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Abstract 

Let Er be a family of hyperelliptic curves over Fj' 6 cl with general 
Weierstrass equation given over a very small field F. We describe in this 
paper an algorithm to compute the zeta function of E^ for y in a degree 
n extension field of F, which has as time complexity 0(n 3 ) and memory 
requirements C(n 2 ). With a slightly different algorithm we can get time 
0(n 2 667 ) and memory 0(n 2 5 ), and the computation of 0(n) curves of 
the family can be done in time and space 0(n ). All these algorithms are 
polynomial in the genus. 

1 Introduction and results 

The problem of counting rational points on curves over finite fields has received 
much attention during the last decade, and many algorithms have been pro- 
posed. For an overview of these results and their relevance we refer to [51 115|. 
(Hyper)elliptic curves over finite fields of characteristic 2 are particularly inter- 
esting due to the fact that computers can work very efficiently with them. 

For elliptic curves Mestre has presented an algorithm using the arithmetic 
geometric mean (AGM) that works in time C(n 3 ), and Lercier and Lubicz J2| 
extended and improved it to 0(n 2 ) and very small genus > 1. Kedlaya presented 
in [7] an algorithm to compute the zeta function of hyperelliptic curves of genus 
g in odd characteristic in time 0{g n ) using Monsky-Washnitzer cohomology, 
and Denef and Vercauteren [2] extended this to characteristic 2. 

On the other hand Lauder JT] and Tsuzuki ^1] introduced deformation 
in the story of point counting, and in |H] we followed a suggestion of Lauder 
to combine deformation with Kedlaya's approach. In this paper we extend this 
result to characteristic 2, thereby reconciling Denef and Vercauteren's work with 
deformation. 
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In Gerkmann also considered a deformation approach for elliptic curves 
in odd characteristic, and due to the easy form of the Weierstrass equation of 
an elliptic curve in characteristic 2 he was able to add this situation without 
much effort. For higher genus this equation is however more involved, and as a 
consequence the theory is technically rather different from the odd characteristic 
case, although the 'big picture' has a similar esprit. 

We will now present the results proven in this paper. Let ¥ q be a finite field 
with q = 2 a elements, 7 € F g n for some integer n, and g > 1 an integer. Suppose 
/, h <E W q [X, r] are in the form described in section I2"T1 which implies especially 
that for most 7 we get a hyperelliptic curve of genus g over F q n of the form 

E^:Y 2 + h(X,j)Y = f(X^). 

Define k := max{deg r /, deg r h 2 }. As is mentioned in 0, in this matter we 
have an 'average case' and a 'worst case'. This means that almost all curves 
belong to the first case, and some unlucky ones do not. In this paper we will 
often use the Soft-Oh notation O as defined in |T7|, which is essentially a Big-Oh 
notation that ignores logarithmic factors. 

The main result is the following theorem, to be proven in section [SJ 

Theorem 1 We can compute deterministically the zeta function of (the pro- 
jective completion of) E^ using 0(g 6376 a 3 K 2 n 2 + g 3 ' 37e a 3 n 3 ) bit operations and 
0(g 5 a 3 Kn 2 ) bits of memory 'on average'. For the worst case scenario one factor 
g is to be added to the terms with n 2 in them. 

By using some faster substitution algorithm it is possible to gain time, at the 
cost of an increase in memory usage. The result is the following. 

Theorem 2 There exists a deterministic algorithm that computes the zeta 
function of E 1 in 0(g 6 ' 376 a 3 K 2 n 2 + g 3 < 376 a 2 n 2 > 667 ) bit operations 'on average'. 
It requires then 0(g 5 a 3 ku 2 + g 3 a 2 n 2 ' 5 ) bits of memory. In the worst case again 
one factor g has to be added to both first terms. 

Theorem El together with the following result and an algorithm quadratic in n 
for a special situation with a Gaussian normal basis is proven in sectional In 
this theorem we did not pay attention to the dependency of parameters different 
from n. 

Theorem 3 Given 0(n) parameters 71, . . . , 7* S F g n , it is possible to find the 
zeta functions of all E^ t with 0(n 3 ) as time and space requirements. 

The bottom line of this algorithm is that in order to find a curve with some 
special size by trying a lot of curves, we can count on 0(n 2 ) as the time needed 
for one curve. 

This paper is organized as follows. In section [2] we provide the theory be- 
hind the algorithm, in it is explained the required special form of / and h, to 
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which we referred earlier. In section we have gathered some necessary results 
about certain 2-adic matrices and differential equations of them, required for 
the algorithm. More precisely, some trick is explained to compute the matrix 
of the connection and a particularly useful form of the differential equation, the 
convergence properties of Frobenius are investigated, and an important result 
about error control is established. The next section gives the algorithm and 
proves its correctness, and section [5] estimates the complexity, thereby proving 
theorem 1. Finally the last section mentions the improvements noted above, in 
particular theorems |21 and |3J 

2 Analytic theory 

In this section we will develop an analytic theory which combines the results 
from [2] with a deformation. Before we start let us define some notation used 
throughout the rest of the paper. Let a be a strictly positive integer, then we 
denote by ¥ q the finite field with q := 2 a elements. Let Q2 be the completion 
of Q according to the 2-adic norm, and Q q is the unique degree a unramificd 
extension of Q2. Denote with C2 the completion of an algebraic closure of (Q>2- 
The rings of integers of Q2 and Q q are written Z2 respectively Z g . The lift of 
the Frobenius automorphism on F q is given by a : Q q — > Q q . We extend a by 
acting as squaring on each appearing variable unless said otherwise. If A; is a 
field, then we mean by fc alg cl an algebraic closure of k. The derivative of some 
expression a with respect to X will be denoted by a' , and on the other hand 
Ijp is written as a. 

2.1 Introducing the deformation. 

Suppose we are given an equation Y 2 + h(X) Y = f(X) over F g which defines a 
hyperelliptic curve of genus g. As pointed out in [2] it is always possible to find 
in an efficient way an isomorphic curve over ¥ q given by Y 2 + h(X) ■ Y = f(X) 
subject to the following conditions. The degree of the monic polynomial / is 
2g+l and h is nonzero of degree at most g. If we factor h in its monic irreducible 
factors over ¥ q , h(X) = cj^* =1 ^(X) with hi irreducible, r, / and c € F*, 
define then H(X) := Yii=i ^iPOi the product of the irreducible factors of h. 
We require now that / = H ■ Q j where H and Qj are relatively prime. 

Define D :— maxr, so that h is a divisor of H D , and let be such that 
h ■ Qh = H D . Now we can lift the hi and Q j to hi and Q f over Z q such that 
they remain monic and the projection modulo 2 equals the original polynomials. 
As a consequence we can also define H , h and Qh with the same properties as 
in the finite field case. 

To introduce the deformation parameter T in the resulting equations, we 
allow Q f and the hi to be polynomials in Z g [X, T] such that they remain monic 
in X. Let r(r) be the resultant of H and Qf ■ |y = QfH' with respect to 
X. Then we require r(T) to be a polynomial for which r(0) does not reduce to 
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zero modulo 2, or equivalcntly T = gives a hyperelliptic curve modulo 2. The 
resultant determines for which parameters the result is a hyperelliptic curve, 
therefore we define the following subset of the set Teich(F2 lg cl ) of Teichmuller 
lifts of F* lgcl : 



S:= { 7 e Teich(F^ lg cl ) r( 7 ) mod 2} 



Lemma 4 For 7 G S the projected equation Y 2 + h(X, 7) • Y = f(X, 7) defines 
a hyperelliptic curve E^ over F^ c , with an equation of the form mentioned 
above. 

Proof. It is enough to show for a Teichmuller lift 7 that E^ has no affine 
singularities iff 7 G §. Computing the system of partial derivatives yields im- 
mediately that the existence of an affine singularity (x, y) implies that H{x) — 
h(x) — f(x) — y — and f'(x) = 0, and vice versa: these equalities give 
an affine singularity. As /' = Q'jH + QfH' we conclude that equivalently 

the system H — Q jH' — has no solutions, which in turn is equivalent to 
Resx (H,QfH') 7^ 0. The fact that the equation has the right structure is 
trivially checked. ■ 

The constructions above fail when h is a constant, in which case h ^ is 
equivalent with E^ being hyperelliptic for every 7. In this situation no resultant 
is needed, and for example 5" defined below will simply be Qg[r]T. We will not 
always mention the simplifications needed for this special case. The convention 
D = 1 in this case is best suited for the estimates further on. 



As final definitions, let p := deg r r(T), s := deg x (H) and n := max{deg r /, 
deg r h 2 } as defined before, and r\ := deg r H. 



2.2 The overconvergent structures. 

We define as in [Hj the necessary overconvergent structures. For r = Yli=o 

let p 1 be the largest index for which ord(r p ') = 0, and define f = X^=o r «r 4 . 
Hence r = r mod 2 and if the leading term of r is a unit in % q we have sim- 
ply r — r. The ring S will be the equivalent of the field Q q in Denef and 
Vercauteren's approach. 



5' 
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' f (r) 



Mr) 
(r)fe 



(Vfc) 6 fe (r) e Q,[r], 



deg6fe(r) < p' and liminf 



ord(bfc) 
1*1 



> 
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The last inequality in this definition is equivalent with the existence of real 
constant S > and e such that for all k we have ord(fcfc) > 8 ■ \k\ + e. As 
proven in |S| the fact that f is 'monic' implies that a general element of S can 

be represented as Y^iLo ai ^ 1 + S^li wnere we have liminf; ord(ai)/|i| > 
and liminfj oid(bj)/\j\ > 0. If f is a constant then of course S = QqlT]^ , and 
the parts with denominators disappear everywhere. We will not always mention 
this special case. The equality 
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OO 

E 

i=0 



r — r 



combined with the fact that r — f = mod 2 shows that 1/r e S. It is worth 
remarking that § doesn't change if defined using f, and S can still be interpreted 
as consisting of the analytic functions defined over Q 9 and convergent in a 
disk strictly bigger than the unit disk with small disks removed around the 
Teichmuller lifts not in §. The following important lemma is also proven in jS] 
and gives us control over the substitution of some 7 € S in an element of s G S. 
Remark that s("j) always converges. 

Lemma 5 Let s(T) — J2kez^k{r)/r(T) k g S. Suppose we have for infinitely 
many 7 € § that ord(s(7)) > a for some real number a, then also for every 
k e Z we get ord(bk) > a- 

Now we can define what will be the analogue of the dagger ring At. The last 
condition may look quite terrifying, but is a technical condition that implies 
that the sum ^ fe Sik is convergent and again an element of S. 



T := 



p 1 v v 1 

1 ) r (r)'^' 2 ' h(x 



J2i=o SikX 1 



EtZo4kX*Y 



(Y 2 -hY - f) 



H(X,T) k 



(Vi, k) sQ <E S, (Vi) 3C e Q q , S > s.t. with 



.(') _ 



fS(£) 



we have 



(Vfc,j) ord(C- S £-)>^(|fc| + b'l) 



In the case that H is a constant the sum over k is restricted to k 6 Z<o, which 
means simply that in this case no denominators with respect to X occur in a 
general element of T . We will write such a general element of T as 



E 

fcez 



U k (X,T)+Y-V k (X,T) 
H k 



where deg x Uk, 14 < s — 1 and liminfj md (Uk^Vk) ^ g j s no ^ narc j ^o expand 
the proof of lemma 14 given in such that it yields that T is an S'-algebra. 
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Let 7 £ § with 7 £ ¥ q i such that q' is minimal and F g C ¥ q i . Then we can 
substitute 7 for T in the above construction of T resulting in the vector space 
T(-y) over Q q i. We have just as in the odd characteristic case that T(*y) = A' 
with A* as defined in for the curve Y 2 - h(X, j)Y - f{X, 7) = 0. 

We define the derivative with respect to X on T by interpreting Y in terms 
of X. Using the equation in its original form and as (2Y + h) 2 = 4/ + h 2 this 
yields 

,_ f- h'Y 2Y + h _ f'h - 2fh> + (2f + hh')Y 

2Y + h ' 2Y + h Af + h 2 ■ 1 ' 

We indeed have that Y 1 £ T and can hence define the differential d := T — > 
TdX : t 1 — ► -j^dX. Let i be the hyperelliptic involution X X and Y i— > 
—Y — h(X, r) on T, then we have the following central proposition. 

Proposition 6 The module Hmw '■— splits into two eigenspaces under 
1, namely H\ IW for eigenvalue +1 and H^ IW for — 1. Both are free S -modules 
with basis respectively {^-dX} 3 ^ and B := {X'YdX} 2 ^ 1 . 

If H is a constant, the first basis is empty, or equivalently H^ IW is trivial. 
Proof. Let (U + VY)H~ k be a general term of an element of T. Writing 
U + VY = U + V(Y + h/2) and computing i(Y') = —Y' - h' we can readily 
check that % o d — dot, which gives the isomorphism Hmw — H MW ® H MW . 
Here U gives the first part and V(Y + h/2) the second part. The linear inde- 
pendence of the elements of the bases can be proven with lemma |SJ Indeed, 
suppose we have a linear relation J2 s i^i = f° r basis elements bi and Sj £ S 
where Sj =/= 0. The lemma then implies the existence of some 7 £ § such that 
Sj(j) =/= 0, which gives a nontrivial relation ^2si("f)bi = in the case without 
deformation, in contradiction with 

In order to reduce a general element 

Ui(X, Y)dX/H i + Vji x , T)YdX/H j 

of T, we consider as in four cases. First, the part with i < is an exact 
form, as integrating does not change the overconvergence property. Second, for 
i > we have the following formulae from 2 , where ri(T) := Kesx{H, H'), a 
divisor of r(T). Write x k r 1 (T) = A(X,T)H + B(X,T)H' , and by computing the 
differential d{B/H % ) we find 

tuc^u*, b : . Adx 

Repeating this we end with i — 1 — which cannot be reduced further, ergo 
the first basis of the proposition — and an expression without denominators H 
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which is an exact form. Next, for the part with j < we can use the following 
congruence 

X j (2f' + hti) + txi-^Af + h 2 )^j YdX = 0, (2) 

which has leading coefficient 2(2g + 1) + 4j/3 ^ 0. 

Finally we consider the case j > 0. Let h = HQh, then by writing x k r{T) = 
AH + BQ f H' we have 

— YdX = 
W 

1 / A B(jH'Q 2 H - 6Q' f - ZQ H ti) - B'(AQ f + Q H h) \ MX 
r yW- 1+ {Q-4j)W-* ) + rH ' 

Here the last part IdX/rH is some differential, invariant under the hyperelliptic 
involution. 

Although the above formulae allow us to reduce elements of T, they do not 
guarantee a priori that the reduced elements and the exact differentials appear- 
ing are overconvergent. We will prove this for the case j < 0, the other cases are 
similar — the basic idea being that the orders decrease with only logarithmic 
behavior and deg r and 'deg r ' increase at most linearly. Let our element of T be 
given in the form £\ >0 s 3 (T)X^YdX, where Sj(T) = £ t s l3 (T)f(Ty and — if 
necessary after multiplying with some constant — ord2(sy ■) > S(j + \i\) for some 
S > 0. It follows immediately from formula 10 that HX^YdX = J2 b fi(T)b+dg, 
where b runs over B, we have deg r fl < rej, whereas lemma 2 from 2 and lemma 
|S] above give that ord 2 /^ > — (3 + log 2 (j + g + 1)). It is clear that as the coef- 
ficients of the original expression grow linearly, we can ignore this logarithmic 
surplus of the reductions and hence suppose that the fl are integral. If we write 

oo 

j^sd^Ydx^Mm 

j=o beB 

then we must show that J^j s jfl *= We will prove that with Sjf£ — 
J2t a tj(r)^(r)' an inequality ord2(aitj) > holds, after which fact 10 and 

lemma 11 from [H] give the result. Expanding fl in 'f' gives fl — Ylf=o fi^ i 
where C — k/ p' . Hence for the order of atj we find (ignoring the fact that we 
should reduce the coefficients of the product modulo f at most once) 

Cj 

ord 2 (atj) > S(j + min \t - k\). 

It can then readily be checked that 0^2(04.,) > S(\t\ + (1 — C)j) for C < 1, and 
if C > 1 (in fact this could be forced) we distinguish between t > 2Cj, with 
oid 2 (a tj ) > S(±\t\ + Cj) and t < 2Cj, where ord 2 (a tJ ) > 2U+1U + 1*1)- For 
proving that g, coming from the exact differential dg, can also be chosen in T, 
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we need similar estimates using the full form of congruence (|2J) . This congruence 
reads © = 



1 /X- 3 ' 

-dl— (Af + h 2 )(2Y + h) ) -,/ 



h(2f + hh') + ] -Xi- 1 h(Af + h 2 ) 
2 b 



dX, 



as can be checked by using the equality (2Y + h) 2 = 4/+ h 2 . 
2.3 The differential equation. 

The goal of this section is to find the following commutative diagram: 



\f 2 \f 2 (3) 

Let us start with the definition of the connection V : Hmw — * HMwdT : 
t i— > j^dT. Similar computations as in the case of the differential d show that 
■J^ and V are well defined on T respectively H MW . The expression for ^ = Y 
is similar to formula QJ where ' is replaced by ' . 

The map F 2 : T — > T represents a lift of the Frobenius automorphism x 1— » x 2 
in characteristic 2, and is defined 1 as a on Q q , T ^ T 2 , X ^ X 2 and Y maps 
to the unique solution in T of F 2 (F) 2 + h a F 2 (Y) — f a = that is congruent 
to Y 2 modulo 2. It will follow from proposition El that with this definition 
F 2 {Y) actually sits in T. By extending F 2 with dX i-> 2XdX and dr i-> 2rdr 
combined with the following lemma we have the two maps F 2 from the diagram 
above. 



Lemma 7 The sum i{F 2 {YdX)) + F 2 (YdX) is exact. 

Proof. Our proof is rather technical, we will use the sequence Wk from the 
Newton iteration as in for which the approximation F 2 (Y) = Wk mod 2 k 
holds. Remark that this implies that F 2 (YdX) = 2XW k dX mod 2 k . We will 
show inductively for k > 2 that 

i{W k dX) + W k dX = 2 k - 2 h 2 dX mod 2 fc ~ 1 . 

As W 2 = (f a - f 2 - h a f)/h 2 + (h a + 2f)y/h mod 2 2 we find that i(W 2 dX) + 
W 2 dX = h a dX mod 2, and as h a = ft- 2 mod 2 this satisfies our relation. Now 
the iterative step reads 

h 2 W k+1 = -Wl + (h 2 - h a )W k + f a mod 2 fe+1 . 

1 In fact F2 equals a on T, but we prefer the notation F2 to be used for the big modules. 
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Computing h 2 (i(Wk+i) + Wk+i)dX mod 2 fc and using the fact that W 2 = 
f — h a Wk mod 2 fe yields the equivalence 

h 2 {i{W k+l ) + W k +i)dX = 2h 2 {i(W k dX) + W k dX) mod 2 k , 

which in turn gives our induction. 

It is possible to prove this lemma on a more conceptual level in the following 
sense: lifting from the coordinate ring of the curve in characteristic 2 to the 
Monsky-Washnitzer cohomology is functorial, and as Frobenius commutes with 
the involution below, it will also commute in the characteristic zero case. I 

Finally we have that the above diagram is commutative, which can be seen 
for example by looking at the action of Frobenius and V on power series. We 
can derive from this the central differential equation. Let F(T) be the matrix 
of the operator F 2 on H^ w , given by F 2 (6i) = J2k^kbk, and analogously let 
G(r) be the matrix of V. Using the relation V o F% = F2 o V on basis elements 
the following equation is easily obtained: 

F(T) + F(T)G{T) = 2TG a (T 2 )F(T). (4) 

We will come back later to the problem of solving this equation in a decent way. 

Suppose that we use the same lift to some Q q n (including r <— 7) in the 
algorithm of Denef and Vercauteren as we did here, then it is clear that if -F(O) 
equals their Frobenius in T — 0, the same will hold for F(j) for every 7 G S as 
F(T) is uniquely determined by J3J and F(Q). 

3 Behavior of matrices 

The theory in the foregoing section shows that the matrix of Frobenius ^(7) 
for some 7 € § can be computed by working over a small held (for finding 
F(0)) and solving the right differential equation. One way to do this is by first 
finding G and then using a recursive computation from equation However 
— as a general entry of G is not a polynomial in T but rather a power series — 
this would be rather slow, and in surplus we would need an expansion of V(6j) 
which would require 0(n 3 ) of memory. This section shows how to deal with 
this problem, and also gives an important estimate on F(T). 

3.1 Changing the matrices into some smaller form. 

Define v := 4/ + h 2 and u := v' /2 = 2/' + hb! . We construct a new basis for 
H^ IW as di :— vbi, the fact that this is a basis follows from proposition [5] The 
idea is that — as v arises as denominator in V&i — the basis {di} gives in some 
sense a nicer matrix for the connection. We have (by definition) the following 
matrices, where the right hand sides are obtained by reduction using formula 
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J2J- By (bi) we mean a column vector of length 2g with 6q on top. 



(di) 


= B • 


(bi), 


V(6i) 


= G ■ 


(h), 


V(di) 


= D 


(bi)- 



As follows from the preceding section the entries of G are elements of S, and 
it is not hard to see that the entries of B and D are polynomials in T over Q q . 
Using these relations and the equality V o d = d o V we find 

D ■ {h) = V (di) = B ■ (&,) + B • V = 5 • (h) + BG- (b t ) 

or in conclusion D = B + B ■ G. 



3.2 Adaptation of the differential equation 

If we combine the formula D = B + BG with the differential equation, we can 
find an equivalent equation where only polynomials of bounded degree — see 
lemma|Hl — appear. We can however even go further, namely we will argue later 
on that we need in fact r(r) M F(T) for some positive integer M. Knowing M 
we can find one 'small' equation which has as solution precisely K = r M FB -1 
and boundary or starting condition K(0) — Kq for some relevant Kq. 

We start with F(T) + F(T)G(T) = 2TG' J (T 2 )F(T), hence multiplying with 
B a on the left will remove G a . We suppress from now on the T and F 2 from 
the equations. 

B°F + B a FG = 2T(D - B) a F. 
Next we substitute KB — r M F, which after multiplying with r M+1 leads to 

(rB a )kB + (rB a )KD + (-MrB a + 2Tr{B - D) a )KB = 0. (5) 

An important property of this equation is that all coefficients consist of poly- 
nomials of low degree. As proposition will show B(0) is invertible, and hence 
it is possible to solve © using induction: write K = Y^i-K^ 1 , where K is 
known. Then we can find each Kk+i one by one from K^, Kk—i, ■ ■ ■ by looking 
at the coefficient of r fc_1 . Finally r 1 F is recovered as KB. 

3.3 Behavior of B and D. 

Lemma 8 For every i, j there holds deg r By < (2g+2)K and ord2(Bij) > —(3+ 
Llog 2 (5<7 + 1)J ) on the one hand, and on the other hand deg r Dy < (2g + l)K— 1 
and ord 2 (D l3 ) > -(3+ [log 2 {5g)\). 

Proof. We have for every i the equivalence 

2g-l 

(4/ + h 2 )X l YdX = B tl X 3 YdX. 
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The reduction formula © has to be applied at most 2g + 1 times, and each time 
deg r increases at most with k. Bounding the denominator naively would give 
the following product which we give a name to be used in the next proposition, 

P:=n(2(2, + 1) + ^Y 

which has order exactly 2<7 + 1. However, using lemma 2 of [2] gives the better 
logarithmic bound mentioned above. The results for D can be proven with 
similar estimates. ■ 



Proposition 9 For every 7 G S we have ord.2(det(B('y))) = 0. 

Proof. We will prove in a first step that 

det(B) ■ P = Res x {u,v), 

and afterwards some property of the resultant will show that for every 7 G § 
this last resultant has the same order 2g + 1 as P, which gives the proposition. 

Define ctj := X^u + (j /3)X : >~ 1 v for j := 0. . . 2g, then formula J2J reads 
oijYdX = 0. We will suppress YdX from the expressions during this proof, as 
they only make notation heavier. We define a square matrix M over Q q [P] of 
dimension 4g + 1 which will be represented as a polynomial with coefficients in 
Q q [r] and variables /io, . . . , /i2g, Ao, . . . , A2 g -i and X. It has total degree 1 in 
the set of variables Xi} and degree Ag in X. The entries of the matrix M are 
given by the coefficients of and XiX^ , enumerated in such a way that the 

first 2g + 1 rows correspond to /j,2g • • - MOj the next rows to A2 S -i ■ ■ ■ Ao, and the 
columns correspond to decreasing degrees of X. For example, the lower right 
entry is the coefficient of AoX°. We start with 

\ X°V + /i a + ■ • ■ + \2g-lX 2g ~ 1 V + H2g~\OL2g-\ + A*2g<*2 3 - 

By means of the transformation Xj <— A 3 — ((j + l)/3)/ij+i it is easy to see that 
the determinant of M is precisely the resultant Resx(u,w). 
The reduction process gives rise to formulae of the form 

j+l 

X j v = Bj(X)+J20ij<Xi, 

with j = . . . 2g, /% G Q q [T] and deg x B 3 (X) < 2g - 1. The coefficients of the 
Bj are exactly the entries of the matrix B. If we substitute these expressions 
in our polynomial, we find 

t 29_1 \ 
A0B0 + ■ • ■ + A 2 g-iB 2s -i + h»o + ^ Aj/3 j a + 
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29-1 \ / 2g-l 

J=0 / \ J=2fl-1 

With the substitution ^ <— /Uj + X^£ m ax(i-i o) ^j'Aj a g am the determinant 
doesn't change, and the result is 

XqBq + . . . + \2g-lB 2g -l + ^0^0 + • • • + ^2gCt2g- 

In this form the upper half of the matrix is in 'uppertriangular form', with P 
as product of the elements on the diagonal. The lower half of the matrix has 
on the left only zeroes, and on the right the matrix B appears (turned upside 
down and from left to right). This concludes the first part of the proof. 

Lemma 10 Let R be a ring and a, /?, 7 € R[X] with deg (3 — deg(/3 + cry), then 
Res x (a, 0) = Res x {a, ft + cry). 

This lemma remains true without the condition on the degree, given that a is 
monic. Otherwise the resultants agree up to an appropriate power of the leading 
coefficient of a. 

Proof. The matrix defining the second resultant can be achieved from the 
matrix defining the first resultant by adding to the rows according to (3 suitable 
multiples of the rows of a. These elementary row operations do not change the 
determinant. ■ 

We write Res x {v,u) = Res x {H,2f + hh') ■ Res x (4Q/ + {h 2 /H),2f + hh'). 
By the lemma and the fact that H and Q fH' are relatively prime we have that 
the first factor has order degH. Define h := h/H, then we have — as can be 



checked by writing ft, in a product of linear factors over Q^ lg cl of H — that h 
is a divisor of Hh! with integral quotient a. The lemma implies that 

Res x (4Q f + hh,2f' + hh')= Res x (4Q f + hh, 2f + hh'-(H' + a) (4Q f + hh)) 

= Resx(4Q/ + hh,2Q' f H - 2Q f H' - AQ f a). 

Remark that the coefficient of X 2g of the second polynomial in these equalities 
is always congruent to 2 modulo 4, and hence nonzero. 
The last resultant above equals 2 deg< ^^ times 

Res x (4Q / + hh, Q' f H - Q f H' - 2Q f a), 

and reducing this result modulo 2 gives Res x (hh, Q'fH— QfH'). Again using the 

lemma we find Res x (hh, —QfH') modulo 2, which is nonzero by construction. 
In conclusion we see that Resx(f , u) has an order of exactly deg Qf + degH = 
2.9+1. ■ 

A consequence of this proposition is an estimate on B^ 1 . Indeed, suppose 
2 £ B is integral, then the fact that the inverse of a matrix equals its adjunct 



12 



matrix divided by the determinant gives that the order of B 1 is at least — (2g — 
l)e. Together with lemma [S] we can conclude that, defining j3' := (2g — 1)(3 + 
Llog 2 (5 ff + 1)J) - O(glogg), we have ord 2 (B- 1 ) > -0'. 

3.4 On the convergence rate of F(T). 

Proposition 11 Let N E N and f(T) be an entry of F(T), reduced modulo 
2 N . Then there exist explicit constants xi = O(ND) and \2 — O(gKND) such 
that r Xl /(r) is a polynomial of degree at most \i- Also we have an explicit 
constant ip — 0(\ogg) such that ord2F(T) > —if. 

Proof. Recall from [2] the approximation W k to ^(F), also used in the 
proof of lemma □ By defining a k (X,T), 0k(X,T) such that W k = a k + Y [3 k ; 
A Q ,fc := (ak ~ a k ^i)/2 k ~ 1 and similar A^^ we can compute H 2D W k from the 
following formula of |2J. 

H 2b W k = Ql ■ {-Wl_ x + (h 2 - h a )W k ^ + r } mod 2 k . 
This gives as result: 

H 2b W k = -Q 2 h Y, ( A a.* A «*j + (/ - hY)A p ,iA Ptj ) 

l<i<j,i+j< k 

-YQl Y T+^A^Ap, -Q 2 Y 2^(A% i + (f-hY)A% i ) 

i+j<k 2i<fe+l 

+ (h 2 -h°)Q 2 h ]T 2*- 1 (A Qii + A 0ti Y) + Q 2 r mod2 fc . 

i<fe-l 

We start by proving that the numerators in W k — the right hand side of the 
equation above, expanded as an 77-adic series — for k > 2 have deg r at most 
Ak - B, with S := u) - n, A := lu + 5, B := A + 5, and 

lo := 2k + deg r Q 2 h + [(deg x f 2 + 2 deg x Q h )/ deg x H + 3]ry. 

Here u> = 2 A — B is a bound for the degree in T in W2, as can be checked by an 
easy computation. To prove the bound Ak — B we use induction and consider 
each term in the formula for W k above, for instance for QlA a ^A a j with i > 2, 
j > 2 we find as bound 

Ai - B + Aj - B + (dcg x Ql/ deg x H + 2)n < Ak - 2B + (. . < Ak - B. 

As A is also a bound for the numerators in W\ and i,j < k — 1 we have our 
estimate for all The term with 77 comes from expanding polynomials in X 
as series in H. 2 For the other terms a similar computation works, for example 
for QlfAp t we have, as 2i < k + 1, 

2Ai - 2B + k + [{deg x f + 2 deg x Q h )/ deg x H + 3]ry < Ak - B. 

2 The case where H is a constant is similar but easier. 
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In a second step we have to reduce Wf. in the cohomology. As F 2 (Y) 6 
Hmw we can cordhie ourselves to the part with Y in it. First we take some 
g(T)X r YdX , and reducing this by using formula adds less than rn as degree 
in r. Lemma 1 of [2] shows that X r has possible nonzero coefficient modulo 2 M 
only if r < (aM+b)s with as = 2(2.g+l-2 deg x h) and fos = 7deg x h-Z(2g+l). 
Take A/ such that M-(3+log 2 ((aM+&)s+.g + l)) > iV, then clearly M = 0(N) 
and lemma 2 of gives that it is enough to compute Wm for finding F2(Y) 
mod 2 N in H^ Wl at least for the part without denominators H. Thus the worst 
possible deg r comes from the term yu aM + b j which has deg r as most AM — B. 
During the reduction an extra (aM + b)sn can occur, and in conclusion the 
contribution of the part without denominator H is at most AM—B+(aM+b)sK. 

For the second part of F2(Y) we consider terms of the form VjH l YdX for 
t > 0. During the reduction from 1/H to l/H 1 ^ 1 the degree in X increases 
with at most s + 2g and the degree in T with at most 2gn. Also a denominator 
r(r) appears. In the end we also have to reduce as in the previous paragraph, 
starting from deg x at most £(s + 2g). Let a := AD and b := —6D, so that 
lemma 1 of 2 implies that modulo 2 M we only need t < aM + b. Then with 
M such that M - (3 + log 2 (M + 1))>N again M = 0{N) and from lemma 3 
of [2] it follows that suffices for this part. Hence the worst case here is the 
denominator ff aM + b ( where deg r is at most AM — B. All together this gives 
a degree in T of at most AM - B + 2gn(aM + b) + (aM + b)(s + 2g)n, and a 
denominator r aM+b . 

It is now easy to find the bounds from the lemma: the denominator is r aM+h 
with a = b = O(D) and M = O(N); and as bound for the degree we find 

max {AM - B + 2gn(aM + b) + {aM + b)(s + 2g)n, AM - B + (aM + 6)sk| . 

Using A = B = O(gn), s = O(g) and as and bs as before the lemma follows. 

Remark that we should in fact look at F 2 ( X % Y ) for % = . . . 2g — 1, but the 
possible increased deg r caused by this is absorbed in the rough estimates during 
the proof. 

In order to determine ip we need to combine lemmata 1, 2 and 3 of 
Choosing a modulus 2 k lemma 1 implies that the highest appearing degree of 
X in the F-part of ^(F) is less than (Ag + 2)k + g. Linked with lemma 2 this 
part gives then an order bigger than 

min (k - 3 - log 2 ((4 5 + 2)k + 2g + 1)) . (6) 

On the side with denominators we find as extremum ADk — 6-D, and lemma 3 
then gives the bound 

min(fc-3-log 2 (4L>fc-6L> + l)) . (7) 

Now we can take — ip as the minimum of (jSJ) and (J7J), and we sec immediately 
that (p= O (log g). ■ 
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Note 12 When implementing these results one finds that F(r) _1 , the matrix 
of the big Frobenius and -B -1 actually have also very good 2-adic valuation 3 , 
good enough to suggest a bound of 0(log<?) for them as well. However, we do 
not know of a way to prove this, but in [2] a heuristic argument is given for the 
big Frobenius. It is worth noting that a proof of these results would diminish 
all our complexity estimates by a factor g. 

3.5 Error propagation in the inductive computation. 

When solving the equation 

(rB a )kB + (rB a )KD + {-MrB a + 2Tr(B - D) a )KB = 0, K(0) = K (8) 

in an inductive manner, we could estimate the loss in accuracy in a naive way. 
However, already K — ^iKjT' 1 implies division by k for computing K^, 
and hence at least ord2((-/Vr — 1)!) would be lost as accuracy, assuming working 
modulo T Nr . It turns out to be possible to do better, as we will show in theorem 
1131 Some form of this theorem has been found independently from the author 
by Gerkmann 0]. 

Let —ip be the lower bound for the order of F(T) found above, and — ipo a 
bound for F(r) _1 . By lemma 24 in [5] — the proof of which is also correct for 
p = 2 — we can take ipo = f{2g — 1) + g. Denote with JC the solution of JSJ 
obtained by working modulo 2^ and starting with /Co = Kq = r(0) M FqBq 1 . K 
itself will denote the exact solution, hence K = r FB~ l , Finally we write Aq 
for r(0) M F o = K B . 

Theorem 13 With K := 2~ N ~{K -K) = Y,i we have 
ord 2 (K t ) > -(2g<p + g + 1) • log 2 (z + 1) - a, 

where a := (12<? - 1)(3 + Uog 2 (5. 9 + 1)J) + (10 9 - l)<p + 5g. 

Proof. We will prove this theorem in a number of steps. Let us first define and 
recall some terms. For ease of notation we write E := —MrB a + 2Tr(B — D) a . 
We know the following bounds: 

ord 2 (B) = ord 2 (B CT ) > -p := -(3 + Llog 2 (5 5 + 1)J ), 

and with /?' such that ord 2 (B _1 ) = ord 2 ((B <T )" 1 ) > -/?' as defined after the 
proof of proposition 1^1 we have f3 + j3' = 2gj3. The same way we have 1^9 + 1^0 = 
2gip + g. 

Definition 14 Let Ai be for every i > a (dxd) — matrix overC 2 andx,y E R. 
We say that a power series ^ AiT 1 converges (x, y)-logarithmically if for all i 

ord 2 Ai > -x\og 2 (i + 1) - y. 

3 This is also true for F(r)" 1 and the big Frobenius in odd characteristic. 
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To shorten notation we will often forget the word 'logarithmically'. 

Lemma 15 If^2 i A i T l and J2i-BiF l converge (x,y)- respectively (x',y')- log- 
arithmically, then their product converges as (max(x, x'), y + y'). 

Proof. The coefficient of T k in the product is ^ AiBj , summed over i+j = k. 
Hence the 2-order is at least 

-a;log 2 (z + 1) - x' Iog 2 (j + l)-(y + y'), 
and as log 2 (fc + 1) < log 2 (i + 1) + log 2 (j + 1), we find the lemma. ■ 

Lemma 16 Let C be the (exact) solution of CB + CD = subject to C(0) = 
Bq 1 , then C converges ((p + ip , f3')-logarithmically, and for C 1 with C 1 (0) = 
B we End (<p + <p ,(3). 

Proof. The matrix C := CB gives in fact the solutions around zero of the 
equation V = 0, or C" + C'G — 0, and from the diagram © we can deduce the 
equality 

c>°-(r 2 )F(T) = F(o)C(r). 

Now exactly the same proof as for proposition 25 in |B] gives that C' converges 
as (ip + ipo, 0). As B~ x can be considered to converge as (0, /?'), lemma IT51 gives 
the result. The estimate for C _1 = B(C') -1 can be proven in a similar fashion. 



We now give an estimate on the error propagation for two 'partial solutions' 
of the equation. Remark that we don't need these in the algorithm, only in 
this proof. A lemma with the flavor of the following one was first given by 
Lauder JHj; but we give a proof similar to our proof in Let C be the 
solution computed inductively modulo 2 N from the equation CB + CD = 
withC(O) =Bq X . 

Lemma 17 2~ N (C — C) converges (ip + ipo + 1, (3 + 2/3') -logarithmically. 

Proof. It is easy to see (a formal argument will be given later) that C satisfies 
CB + CD = 2 N £i with E\ some matrix of power series with integral coefficients. 
Let L be such that 2 N LC = C — C. Then we have the equalities 

2 N £ 1 =CB + CD-CB-CD = 2 N (LCB + LCB + LCD) = 2 N LCB 

and as a consequence L = £\B~ 1 C~ 1 . If we integrate L we find as integration 
constant Lq = 0, and hence 

2~ N (C -C) = LC=(J SxB^C^dr) C. 

As integrating is not worse then adding 1 to the logarithmic factor, we find the 
lemma. ■ 
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Let V and P be the computed modulo 2 N resp. exact solution of (rB a )P + 
EP = subject to P(0) = /, then a trivial computation shows that K = PA^C 
satisfies (JHJ- Now the previous results give that P = KC~ 1 A$ 1 converges 
(ip + ipo, /3 + /3' + ( y 9 + i J 9o)-logarithmically and the same holds for P _1 = A$CK~ X . 
Working similar to lemma IT7I shows that 2~ N (V — P) converges as (ip + ipo + 
1, 2/3 + 3/3' + 2(ip + tpo)). In this we use (rB a )V + EV = 2 N £ 2 . 

The proof of the theorem can now be completed by estimating JC — VAqC 
and VAqC — K and summing these terms. Denote the additive operator of |JSJ 
by A, hence © equals AK = 0. 

Lemma 18 2~ N {K, - VA Q C) converges (ip + (po + 1, 5/3 + 6/3' + 5<p + 4(/?o)- 
logarithmically. 

We will first show how to see that solving AK = inductively modulo 2 N 
amounts to A/C = 2 N £ for some integral matrix £ . For each k we compute JCk 
from 

[r(0)B^IC k B o + / fc (/C fc _i,£ fc _ 2 , . . .)] T k ~ 1 = 2 Ar (integral error matrix)r fe - 1 

for some linear functions fy. The sum over all these equations gives AK. = 2 N £ . 
Let L be defined such that 2 N PLAqC = JC — VAqC, then we compute 

2- N (AK. - A(VA Q C)) = A(PLA a C) = rB a PLA CB. (9) 

Using the same integral as before and the fact that 

A(VA C) = 2 N (rB°VA £ 1 +£ 2 A CB), 

wc find our result. Indeed, for 2~ N A{VA C) we find (<p + tpo, 2/3 + (3' + 2ip + tp ), 
and adding the inverse of the factors in the right hand side of © gives the 
lemma. I 

To control the difference 2~ N {'PA C - PA C) we add a cross term: 

2~ N (VA C - PA Q C + PA Q C - PA C) = 2~ N {V - P)A Q C + 2- N PA {C - C). 

The (tp + ipo + 1, 4(3+ 5/3' + 3ip + 2i^o)-logarithmic convergence of this difference 
is now clear, and taking the maximum of this result and the last lemma gives 
the theorem. ■ 



4 The algorithm 

In this section we give a concrete presentation of the algorithm. We suppose 
that the polynomials H(X,T), h(X,T) and f(X,T) are given as explained in 
section 2. The input for the algorithm is hence formed by these polynomials over 
W q — F 2 a and some allowable parameter 7 S ¥ qn . The output is the zeta function 
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of complete model of the hyperelliptic curve given by Y 2 + h(X, j)Y — f(X, 7). 



Step 1. Compute Q q as explained in section lCTl lift H, Qj and hence also h and 
/ to Q 9 such that H and Qf remain monic, and compute the resultant r(T) — 
Kesx(H, Qf ■ H'). Let g be the genus and M — xi, Xi an d f as follows from 
the proof of proposition ITTI with TV defined as below. Also (fo := (p(2g — 1) +g. 
Define 



Nt 



log 2 ( 29 ) + 1 + ang/2 



N := Nf + anip + 2ganip, N-p := \2 + 1, 



9 . 

N 2 := N + 12<?(3 + [\og 2 (5g + 1)J) + (10p - l)(p + 5g. 

From now on we work modulo 2 N2 (in the beginning of the algorithm) and T Nr . 
Step 2. Compute the matrices B and D by using formula ©. 
Step 3. Calculate F(0) as explained in j^j, but with the higher accuracy 2 N2 . 
Remark that wc need the small Frobcnius. 

Step 4. Compute K inductively from the equation (JSJ with starting condition 

K = r(0) M F(Q)B(0)- 1 , and find F'{T) := r(T) M F(T). 

After step 4 we can switch to the accuracy N instead of 7V2. 

Step 5. Let ip(z) be the minimal polynomial of 7 over ¥ q , where we suppose 4 

that F 9 (7) = W q n , and let i/j(z) be the Teichmiiller modulus lift of rjj as explained 

in section fSTTl Then Q q n — Q q [z]/ip(z) and z is the Teichmiiller lift of 7. 

Determine 

F(z) = —t\ — • F'(z). 

Step 6. Compute T = 11™= 1 F(z) c ' n * as explained by Kedlaya in [7] and find 
Z(T) as the polynomial det(7 — TT) with coefficients between — 2 N f~ 1 and 
2 N f~ 1 . Output now Z(T) ■ [(1 - T)(l - 2 an T)]- 1 . 



Proposition 19 The above algorithm returns the correct result. 

Proof. The Lefschetz fixed point formula on the Monsky-Washnitzer coho- 
mology gives as explained in [5] that the result is correct if we can compute T 
and Z(T) exactly, and the theory from section[5]and|31implies that if every step 
was done with exact precision, we would indeed find the required matrix T . As 
we cannot work with this infinite precision, we need to show that the chosen 
accuracy is high enough. From the Weil conjectures it follows that T mod 2 N f 
is sufficient to recover the zeta function, and proposition 1111 proves that iVr 
suffices to compute r(j) M F(j) modulo 2 N . The crucial difficulty is to control 
the loss of precision introduced by working with non integral elements of Q q . It 
is clear that computing r, B and D gives no significant loss in precision. For 
computing KB we can bound the introduced error as in theorem ll3l This gives 
that the loss in precision is at most 12g(3 + [\og 2 (5g + 1)J) + (10g — + 5g. 
Here we have added f3 to the result of theorem H3l 

4 This is not crucial, if 7 defines a smaller field then the zeta function over ¥ q n is easily 
derived from it. 
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We should also take notice of possible loss in accuracy in the computation 
of T as a product, which requires an extra arup of accuracy. But as pointed out 
in note El m practice T turns out to have a similar order as F(j), hence this 
increment of N can in practice be chosen lower. Another problem appears in 
the computation of the characteristic polynomial of T . One naive way of doing 
this would be to compute the trace of T % for i = 1 . . . 2g and to use Newton's 
formula 

det(J - TT) = cxp ( - Tr (^)— J > 

which would require an extra precision of 2g + log 2 (2g) from the exponential and 
the denominators k, and 2garup for the trace of T 2a . A better way however is 
explained in 1 . Here we first make T integral by multiplying it with some power 
of 2, and then use a slightly altered version of reduction to the Hessenberg form 
of a matrix, suitable for working in 1 q n . The loss in precision is then 2gamp. 
We can conclude that the values of N and N% are sufficient. 



5 Complexity analysis 
5.1 2-Adic arithmetic 

As central source for this section we use chapter 12 by Vercauteren of [5], and 
we always assume asymptotically fast arithmetic, meaning that basic operations 
can all be done in essentially linear time. We suppose here that we are working 
modulo 2^, hence representing an element of Q2 takes O(N) bits (if its order 
is not too low) and computing with it 0(N) bit operations. Remember that 
q = 2 a . Let ¥ q = F 2 [x]/x(x), then we define Q q = Q2[x]/x( x ) where x 1S the 
Teichmiiller modulus that projects to x- A Teichmiiller modulus is a minimal 
polynomial for Teichmiiller lifts, or equivalently x{x)\x q — x. In jS] an algorithm 
of Harley is given that computes x m time 0(aN). Basic operations, including 
the 2nd power Frobenius automorphism a, need the same amount of time. 

If ip(z) is the minimal polynomial of 7 over F g , we can compute the Teich- 
miiller modulus ip(z) over Q 9 as follows. First determine ip{y) such that Q 9 n = 
Q2[y]/<p(y), f{y)\y 2an — y an d ^(7) = as above, in time O(anN). Second, as 
(p(z) = 0, we have that ipl^P, or ip = ip ■ -0'. Now -0 and (p are known, hence 
0' can be recovered easily, and using Hensel lifting as in |17j gives ip in time 
0(anN). Again this is also the time required for basic operations. 

Computing <r k of an element of Q q ™ can be done trivially by applying k 
times cr, resulting in a complexity of O(kanN). However, further on it will 
be advantageous to be able to compute <j k {z) in a faster way. Indeed, we can 
compute 7 2 in time O(kan) by repeated squaring, and using the generalized 
Newton lifting of [S] we find the Teichmiiller lift of •y 2 , which equals er fc (z), in 
time O(anN). 
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5.2 Analysis of the algorithm 



We use the 2-adic arithmetic always as in the previous paragraph. Let uj be an 
exponent for matrix multiplication, meaning that multiplying two kxk matrices 
over some ring R takes k u operations in R. We can take u> = 2, 376. It is easy 
to check the following bounds: 

V = 0{\ogg) = 0(1), = 0(g\ogg) = 5(g), 

N f =N = N 2 = 0(ang log g) = 0{ang), 
N r = d(gnND) = 0(g 2 annD). 

Computing the lifts of H and Qj costs essentially nothing, and the computation 

of the resultant r(T) can be achieved in time 0(g 1+u " 'aN gn) = (g 3+ul a 2 nn) , 
see e.g. |16j . where we use the fact that we are working with polynomials in F of 
degree at most 0(gn). To determine B and D we have to use formula (0 at most 
O(g) times, and each step requires time 0(aN ■ gn ■ g), which comes from 'Q q ■ 
deg r • deg x '. Together this gives 0(g i a 2 nn). Next we have the recursive formula 
for finding K . Each of the N-p steps consists of 0(gn) multiplications of matrices 
whose entries have size 0(aN), resulting in 0(gKg LU aNNr) = 0(g 4+u3 a 3 n 2 n 2 D). 
The size of K is <D(g 2 aN N?) — (D(g 5 a 3 Kn 2 D), which will be the overall memory 
requirements of the algorithm. Remark that we can ignore the operations for 
finding B a and the like. 

Repeating the complexity analysis of |2] 5 , we can confine ourselves to the 
worst case mentioned there, and as we skip the computation of the norm of 
the matrix, the most time consuming step is step 4 of the algorithm, which 
takes 0(g 3 aN 2 ) = 0(g 5 a 3 n 2 ). The memory requirements are 0(g 4 a 3 n). The 
minimal polynomial ip can be computed in time 0(an^/an + (an) 2 ), see |13j . 
and finding ijj out of t/S takes O(anN) bit operations. 

Let /(r) be an entry of r(r) xl F(r), then we need to find f(z), a substitution 
r <— z that can be done very fast using our Teichmiiller modulus. Indeed, 
we just have to reduce f(z) modulo ijj(z), which takes for the whole of the 
matrix 0(g 2 anNr) = 0(g 5 a 2 Kn 2 D) bit operations. Division by r(z) Xl is again 
neglectable. Remark that until now, where we have found the matrix of the 
small Frobenius, our algorithm has complexity 0(n 2 ) in n. 

For the last step Kedlaya's method consists of the following iteration: Mo := 
F(z) and M; + i = Mf Mi. This requires logn times a matrix multiplication 
over Q q n , which needs time 0(g u anN). The computation of a k on 4g 2 elements 
requires 0(g 2 ■ (k — an) ■ anN) bit operations. 

Combining all these facts gives up to step 5 a complexity of 0(g 4+UJ a 3 K 2 n 2 D) 
bit operations and 0(g 5 a 3 Kn 2 D) bits of memory. Now as 'on average' D = 0(1) 

5 In that paper the memory requirements are actually logg bigger than written there, 
because the computation of the characteristic polynomial of the big Frobenius needs to take 
care of the emerging denominators. However, as we are only interested in the small Frobenius, 
this factor does not appear. 
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— worst case being D — 0(g) — this gives the first term in the first complexity 
and the memory requirements in theorem^ Step 6 gives the second part of the 
time estimate. 

6 Improvements 

6.1 Subcubic counting. 

The most time consuming step in the above algorithm is in fact the determina- 
tion of F(z) a for k of the order O(an), taking time 0(ga 3 n 3 ). It is however 
possible to do this with a faster method. Let a(z) £ ®^ , then the equality 

a(zY — a a (z a ) shows that we only have to compute 4<7 2 logn times 
a a (z a ) with t — O(a) and k — O(an), where a is a polynomial modulo 2 N 
over Q q of degree at most n — 1. The computation of a a takes at most time 
0(aN£n) — 0(ga 2 n 2 ). On the other hand we have the modular composition 
of polynomials a a [z a ). As said before the computation of z a takes only 
0(ga 2 n 2 ) time, and as explained in jS] this composition can be achieved in time 
0(ga 2 n 2 ' 667 ), at the cost of an increase in memory use, resulting in 0(ga 2 n 2 ' 5 ). 
This proves theorem [21 from the introduction. 

6.2 Lots of curves. 

Using fast multipoint evaluation ^7] it is possible to compute 0(n) zeta func- 
tions within one family in time and memory usage 0(n 3 ). The author thanks 
Fre Vercauteren for drawing his attention to the relevance of such results. We 
don't go into all the details, but the main steps needed for this estimate are 
the following. Suppose a = 1, and we only look at the dependency on n. As 
before we compute r(T) Xl F(T) in time 0(n 2 ), and some Teichmiiller modulus 
ip(z). Let 7i, . . . , 7fc be the parameters for which we want to calculate the zeta 
function. Computing all the Teichmiiller lifts 71, . . . ,7fc takes 0(n 3 ) time. For 

2* 

computing the matrices T li we need F(pff ) for t — . . . [log 2 n\ , hence if 
we can find all the a(jf ) for some £ = 0(n) and an analytically continuated 
element a of F(T) in time 0(n 3 ) we are done. 

This is where fast multipoint evaluation pops up. Indeed, computing 7? 
again requires only 0(n 2 ) for each i, and the simultaneous substitution of all 
these values in a takes time 0(n 3 ), which follows from corollary 10.8 in |17| . 
The estimate on the memory is clear, as it will certainly not exceed the time 
requirements. 

Note that this result is also applicable to the situation in [BJ, hence for 
hyperelliptic curves in odd characteristic. 
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6.3 Quadratic counting with GNB. 



If we work over fields ¥ q n where a Gaussian normal basis of type t with t small 
exists (see e.g. [5], section 2.3.3.b, and for the existence of such bases [§]), then 
we can make our algorithm quadratic for some well-chosen parameters. Here 
is an outline of how this works for t — 1 and a = 1, which means we have a 
representation 

F 2 , 2 -. 

x n _|_ x n-l _| \-X+l 

The same minimal polynomial (x n+1 — 1) /{x— 1) can be used over Q2 to represent 
<Q>2", and it is clear that it is a Teichmullcr modulus. Remark that x n+1 = 1, 
which makes computing a lot easier. Suppose now that our parameter 7 equals 
some power of x, say x k . Note that this is a very strong condition, for there 
exist only n + 1 such parameters 7. As explained earlier the crucial step is 
computing a (7) 17 for £ — 0{n) and a some polynomial of degree 0(n) over 
Q2 modulo 2°( n ). Now if a(T) — X)"=o ai ^ 1 ' then we have (using a redundant 
representation, i.e. a non-unique form using the generating set l,x, . . . , x n ) 

m 

a ( 7 )- f = a (aV) = ^ mod n+1 , 

i=0 

and this last expression is easily evaluated. In conclusion this GNB allows us to 
compute the zeta function for certain parameters in time 0(n 2 ). Here too we 
can draw the same conclusions for the odd characteristic case. 
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